diff --git a/configure.ac b/configure.ac index b6c560b1..f36d512f 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.62]) -AC_INIT([shifter], [18.03.0], [shifter-hpc@googlegroups.com]) +AC_INIT([shifter], [18.03.3], [shifter-hpc@googlegroups.com]) AC_CONFIG_SRCDIR([src/shifter_core.h]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_AUX_DIR([auxdir]) diff --git a/extra/CI/integration_test.sh b/extra/CI/integration_test.sh index 74ff3c13..6d9f4fc2 100755 --- a/extra/CI/integration_test.sh +++ b/extra/CI/integration_test.sh @@ -83,6 +83,9 @@ shifterimg pull ubuntu:16.04 shifterimg lookup ubuntu:16.04 ls /images +echo "var/tmp exists" +ls -ld /var/tmp + echo "Ensure container gets basic setup" python $CIDIR/integration/test_shifterConfig_format.py ubuntu:16.04 diff --git a/shifter.spec b/shifter.spec index 547608dd..00462f67 100644 --- a/shifter.spec +++ b/shifter.spec @@ -13,12 +13,14 @@ %{!?systemd_requires: %global _without_systemd --without-systemd} %endif +%{!?shifter_release: %global shifter_release 1.nersc%{?dist}} + %{?_with_slurm: %global with_slurm %{_prefix}} Summary: NERSC Shifter -- Containers for HPC Name: shifter -Version: 18.03.2 -Release: 1.nersc%{?dist} +Version: 18.03.3 +Release: %{shifter_release} License: BSD (LBNL-modified) Group: System Environment/Base URL: https://github.com/NERSC/shifter diff --git a/src/VolumeMap.c b/src/VolumeMap.c index 6da115a2..ad9b75ed 100644 --- a/src/VolumeMap.c +++ b/src/VolumeMap.c @@ -67,6 +67,7 @@ int validateVolumeMap_userRequest( const char *to, VolumeMapFlag *flags) { + const char *toExactAllowed[] = {"/var/tmp", NULL}; const char *toStartsWithDisallowed[] = { "/etc", "/var", "etc", "var", "/opt/udiImage", "opt/udiImage", NULL }; @@ -76,8 +77,9 @@ int validateVolumeMap_userRequest( size_t allowedFlags = VOLMAP_FLAG_READONLY | VOLMAP_FLAG_PERNODECACHE; return _validateVolumeMap( - from, to, flags, toStartsWithDisallowed, toExactDisallowed, - fromStartsWithDisallowed, fromExactDisallowed, allowedFlags + from, to, flags, toExactAllowed, toStartsWithDisallowed, + toExactDisallowed, fromStartsWithDisallowed, fromExactDisallowed, + allowedFlags ); } @@ -86,6 +88,7 @@ int validateVolumeMap_siteRequest( const char *to, VolumeMapFlag *flags) { + const char *toExactAllowed[] = { NULL }; const char *toStartsWithDisallowed[] = { NULL }; const char *toExactDisallowed[] = { "/opt", "opt", @@ -105,8 +108,9 @@ int validateVolumeMap_siteRequest( | VOLMAP_FLAG_PRIVATE; return _validateVolumeMap( - from, to, flags, toStartsWithDisallowed, toExactDisallowed, - fromStartsWithDisallowed, fromExactDisallowed, allowedFlags + from, to, flags, toExactAllowed, toStartsWithDisallowed, + toExactDisallowed, fromStartsWithDisallowed, fromExactDisallowed, + allowedFlags ); } @@ -585,6 +589,7 @@ int _validateVolumeMap( const char *from, const char *to, VolumeMapFlag *flags, + const char **toExactAllowed, const char **toStartsWithDisallowed, const char **toExactDisallowed, const char **fromStartsWithDisallowed, @@ -628,25 +633,32 @@ int _validateVolumeMap( return 4; } - for (ptr = toStartsWithDisallowed; *ptr != NULL; ptr++) { + /* checking "from" before "to" since the "to" checks can return early */ + for (ptr = fromStartsWithDisallowed; *ptr != NULL; ptr++) { size_t len = strlen(*ptr); - if (strncmp(to, *ptr, len) == 0) { + if (strncmp(from, *ptr, len) == 0) { return 1; } } - for (ptr = toExactDisallowed; *ptr != NULL; ptr++) { - if (strcmp(to, *ptr) == 0) { + for (ptr = fromExactDisallowed; *ptr != NULL; ptr++) { + if (strcmp(from, *ptr) == 0) { return 1; } } - for (ptr = fromStartsWithDisallowed; *ptr != NULL; ptr++) { + + for (ptr = toExactAllowed; *ptr != NULL; ptr++) { + if (strcmp(to, *ptr) == 0) { + return 0; + } + } + for (ptr = toStartsWithDisallowed; *ptr != NULL; ptr++) { size_t len = strlen(*ptr); - if (strncmp(from, *ptr, len) == 0) { + if (strncmp(to, *ptr, len) == 0) { return 1; } } - for (ptr = fromExactDisallowed; *ptr != NULL; ptr++) { - if (strcmp(from, *ptr) == 0) { + for (ptr = toExactDisallowed; *ptr != NULL; ptr++) { + if (strcmp(to, *ptr) == 0) { return 1; } } diff --git a/src/VolumeMap.h b/src/VolumeMap.h index c0575585..e9bb668b 100644 --- a/src/VolumeMap.h +++ b/src/VolumeMap.h @@ -105,6 +105,7 @@ int _validateVolumeMap( const char *from, const char *to, VolumeMapFlag *flags, + const char **toExactAllowed, const char **toStartsWithDisallowed, const char **toExactDisallowed, const char **fromStartsWithDisallowed, diff --git a/src/shifter_core.c b/src/shifter_core.c index f3968d3d..8df485e5 100644 --- a/src/shifter_core.c +++ b/src/shifter_core.c @@ -625,6 +625,7 @@ int prepareSiteModifications(const char *username, _MKDIR("var", 0755); _MKDIR("var/spool", 0755); _MKDIR("var/run", 0755); + _MKDIR("var/tmp", 0755); _MKDIR("var/empty", 0700); _MKDIR("proc", 0755); _MKDIR("sys", 0755); @@ -948,6 +949,12 @@ int prepareSiteModifications(const char *username, mntBuffer[PATH_MAX-1] = 0; _BINDMOUNT(&mountCache, "/tmp", mntBuffer, 0, 1); + /* mount /var/tmp, checking if executable as an existance check */ + if (access("/var/tmp", X_OK) == 0) { + snprintf(mntBuffer, PATH_MAX, "%s/var/tmp", udiRoot); + mntBuffer[PATH_MAX-1] = 0; + _BINDMOUNT(&mountCache, "/var/tmp", mntBuffer, 0, 1); + } #undef _MKDIR #undef _BINDMOUNT diff --git a/src/test/test_VolumeMap.cpp b/src/test/test_VolumeMap.cpp index 90116714..cf43789a 100644 --- a/src/test/test_VolumeMap.cpp +++ b/src/test/test_VolumeMap.cpp @@ -261,6 +261,9 @@ TEST(VolumeMapTestGroup, ValidateVolumeMap_basic) { ret = validateVolumeMap_userRequest("/test1Loc", "/var/log", NULL); CHECK(ret != 0); + ret = validateVolumeMap_userRequest("/test1Loc", "/var/tmp", NULL); + CHECK(ret == 0); + ret = validateVolumeMap_userRequest("/test1Loc", "/opt", NULL); CHECK(ret != 0);